NI&S Directory

Basic Information

Software: OpenLDAP
Database Size: 212MB
Workload: 20 - 22 million search requests daily (less on weekends)

Middleware manages the OpenLDAP servers that provide directory services to the NEO environment, and NI&S manages the services such as FreeRADIUS and ClearPass that use that directory to authenticate and authorize users.

Directory Structure

Internal Configuration

cn=config
        cn=module{0},cn=config
        cn=schema,cn=config
                cn={0}core,cn=schema,cn=config
                cn={1}cosine,cn=schema,cn=config
                cn={2}inetorgperson,cn=schema,cn=config
                cn={3}radius,cn=schema,cn=config
                cn={4}radiusClient,cn=schema,cn=config
                cn={5}vtnis,cn=schema,cn=config
        olcDatabase={-1}frontend,cn=config
        olcDatabase={0}config,cn=config
        olcDatabase={1}mdb,cn=config
                olcOverlay={0}syncprov

Under the config tree, the radius, radiusClient and vtnis schema entries are the most notable; each defines attributes used by the FreeRADIUS servers that query the directory. radius and radiusClient define attributes standard to the RADIUS protocol, which the radiusd process may use internally. vtnis defines custom attributes used for authorizing VT affiliates' network and application access.

Virginia Tech Data

o=vt
    ou=NIS,o=vt
        ou=People,ou=NIS,o=vt
        ou=Entitlements,ou=NIS,o=vt
        ou=Administrators,ou=NIS,o=vt
        ou=Local,ou=NIS,o=vt
            ou=Updaters,ou=Local,ou=NIS,o=vt
        ou=Configuration,ou=NIS,o=vt
            ou=F5,ou=Configuration,ou=NIS,o=vt
                ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt
            ou=FreeRADIUS,ou=Configuration,ou=NIS,o=vt
                ou=Clients,ou=FreeRADIUS,ou=Configuration,ou=NIS,o=vt

Under the VT tree are the actual records used to authenticate and authorize NEO's customers. The People and Entitlements subtrees are the most often queried and are important for authorizing wireless network access and access to the various VPNs provided by NIS. Records in the Administrators subtree are accounts used for direct access to networking equipment or to the applications used to configure that equipment. A few of these accounts are used by applications, rather than people, to access networking equipment.

The Local subtree contains a handful of accounts used to bind to and query the directory. The FreeRADIUS and ClearPass software packages each have such an account, as do Cerberus and Orchestra. The account used for syncrepl is also in this subtree.

The Configuration subtree contains two important subtrees: one for F5 member groups and another defining FreeRADIUS clients. The F5 member groups bundle the permissions a user may have on the F5 application. RADIUS clients define which network systems are allowed to send access requests to the FreeRADIUS servers.
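The subtree layout above is what every consumer of this directory relies on: FreeRADIUS searches People and Entitlements, bind accounts are expected under Local, and RADIUS clients live under Configuration. The script below is an added example (it is not code from this page or from the NI&S/Middleware teams) showing how to check subtree membership correctly. It parses the Virginia Tech Data listing into a parent/child map and implements RDN-aware DN matching with the base/one/sub semantics of an LDAP search scope, which is the check a bind-DN allow-list or an access control rule needs. Account names used in the sample checks are constructed placeholders; the functional subtree names in SUBTREES are labels chosen here, not attributes of the directory.

```python
"""Subtree containment checks for the NI&S directory layout.

Added example, not code from the page: parses the page's VT tree listing
and implements RDN-aware DN matching.  Account names are constructed.
"""
from __future__ import annotations

# The "Virginia Tech Data" listing from the page, one full DN per line.
VT_TREE = """\
o=vt
ou=NIS,o=vt
ou=People,ou=NIS,o=vt
ou=Entitlements,ou=NIS,o=vt
ou=Administrators,ou=NIS,o=vt
ou=Local,ou=NIS,o=vt
ou=Updaters,ou=Local,ou=NIS,o=vt
ou=Configuration,ou=NIS,o=vt
ou=F5,ou=Configuration,ou=NIS,o=vt
ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt
ou=FreeRADIUS,ou=Configuration,ou=NIS,o=vt
ou=Clients,ou=FreeRADIUS,ou=Configuration,ou=NIS,o=vt
"""

# Functional subtrees described on the page (labels are ours), most specific first.
SUBTREES = {
    "f5-groups": "ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt",
    "radius-clients": "ou=Clients,ou=FreeRADIUS,ou=Configuration,ou=NIS,o=vt",
    "people": "ou=People,ou=NIS,o=vt",
    "entitlements": "ou=Entitlements,ou=NIS,o=vt",
    "administrators": "ou=Administrators,ou=NIS,o=vt",
    "local": "ou=Local,ou=NIS,o=vt",
}


def split_dn(dn: str) -> list[str]:
    """Split a DN into RDN strings, honouring backslash-escaped commas."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    return [r.strip() for r in rdns if r.strip()]


def normalize_dn(dn: str) -> tuple[tuple[str, str], ...]:
    """Lower-case types and values (caseIgnoreMatch, as for cn/ou) and trim
    whitespace.  Simplification: hex escapes and '+' multi-valued RDNs are
    not decoded."""
    out = []
    for rdn in split_dn(dn):
        attr, _, value = rdn.partition("=")
        out.append((attr.strip().lower(), value.strip().lower()))
    return tuple(out)


def is_under(dn: str, base: str, scope: str = "sub") -> bool:
    """True if dn lies within base for the given LDAP search scope.

    Matching is done RDN by RDN, so 'ou=FakeNIS,o=vt' is NOT under
    'ou=NIS,o=vt' even though a naive string endswith() would say it is.
    """
    d, b = normalize_dn(dn), normalize_dn(base)
    if len(d) < len(b) or d[len(d) - len(b):] != b:
        return False
    depth = len(d) - len(b)
    if scope == "base":
        return depth == 0
    if scope == "one":
        return depth == 1
    if scope == "sub":
        return True
    raise ValueError(f"unknown scope {scope!r}")


def parse_tree(listing: str) -> dict[str, list[str]]:
    """Map each container DN to its immediate children, derived from the DNs."""
    children: dict[str, list[str]] = {}
    for line in listing.splitlines():
        dn = line.strip()
        if not dn:
            continue
        parent = ",".join(split_dn(dn)[1:])
        children.setdefault(parent, []).append(dn)
    return children


def classify(dn: str) -> str | None:
    """Name the functional subtree an entry belongs to, or None when it is
    outside all of them (e.g. a bind DN that an allow-list should reject)."""
    for name, base in SUBTREES.items():
        if is_under(dn, base):
            return name
    return None


if __name__ == "__main__":
    for child in parse_tree(VT_TREE)["ou=NIS,o=vt"]:
        print(child)
    # Constructed DN for a service account kept under ou=Local, as the page describes.
    print(classify("cn=radius-bind,ou=Local,ou=NIS,o=vt"))
```

The point of matching RDN by RDN rather than with a string suffix test is that an entry such as ou=FakeNIS,o=vt would otherwise pass a check for ou=NIS,o=vt; the same function also gives the base/one/sub distinction that decides whether a search anchored at ou=NIS,o=vt reaches into ou=Updaters,ou=Local,ou=NIS,o=vt.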